Wednesday, 1 July 2015

Yesterday Apple has released a security update 2015-005 which included fixes for two vulnerabilities related to font parsing in OS X that i have reported to the ZDI. See original advisories for CVE-2015-3679 and CVE-2015-3680.

I checked it out and as for today (22 Jun 2015) it crashes the latest Internet Explorer 11. The crash log looks interesting:
The proof of concept from the post is huge so i decided to downsize it a bit and here it is:
Certainly more readable. As usual maybe someone will find it useful.

From one of the comments in the stackoverflow discussion, we can see that Microsoft is already looking into it (23 Jan 2015).

Friday, 3 April 2015

A quick post about two crashes i found in tcsh (default FreeBSD shell, however the BSD version does not segfault) and mksh (default shell on Android). As i'm not planning to research it further, i will just leave it here. Maybe someone will figure out if any of this can be exploited somehow.

tcsh:
1. Affected version
tcsh 6.18.01 and maybe older. FreeBSD version handled it just fine.

Where the last byte marked with red color can be anything > 0x79 to trigger the crash.

Android shell / mksh:

1. Affected version
mksh-R50e and maybe older. Tested on latest source version and a Nexus with Android 5.0.1

2. PoC

D:\Android\sdk\platform-tools>adb shell # run shellshell@mako:/ $ cd sdcard # must be a dir that is not read-onlycd sdcardshell@mako:/sdcard $ 4444444444444>4 # actual input that causes the crash4444444444444>4

D:\Android\sdk\platform-tools> # our shell died

It seems to crash at exec.c:1415 in function iosetup()
if (e->savefd[iop->unit] == 0) {

update:
by manipulating the first part of the expression we can control EAX and EBP value:
e.g.

Tuesday, 10 February 2015

In this months bulletin Microsoft has fixed multiple vulnerabilities in Internet Explorer including one which was mine. It was an integer overflow in the CShadow filter which could lead to remote code execution. It affected Internet Explorer 10 and 11. You can find the original ZDI advisory here and the Microsoft Bulletin here.

There is some confusion when it comes to CVE assignment, as Microsoft acknowledged me for CVE-2015-0035 (also credited to Sky) while ZDI marked my bug CVE-2015-0036 which is credited to an anonymous researcher on the bulletin page. I will update this post if something changes regarding to that.